fpf module and packet fragmentation:local/remote DoS.
Fpf kernel module by |CyRaX| [cyrax@pkcrew.org] (www.pkcrew.org) alters the linux tcp/ip stack to emulate other OSes against nmap/queso fingerprints, using a parser by FuSyS that reads nmap-os-fingerprints for the os emulation choice.

However, attempts to send fragmented packets to a local or remote machine with nmap (-sS -f, -sN -f, -sX -f, -sF -f, -sA -f) or hping (hping -f) using a host with loaded fpf.o lead to a kernel panic ("Aiee, killing interrupt handle. Kernel panic: Attempted to kill the idle task ! In interrupt handler - not syncing.") if run from the console, or force an immediate reboot if the packet sending tool is run from an xterm. When an fpf.o-running machine receives nmap / hping fragmented packets from remote hosts, the system freezes.

Security through obscurity was never a perfect solution, but in the current case there is also a hefty price to pay: complete inability of the tcp/ip stack of the "obscured" machine to deal with packet fragmentation.

Tested on Slackware 7.1 kernel 2.2.16 (i386).

Regards,

_clf3_ (PrP_Sc@antionline.org)

Veneficio, ergo sum.

------------------------------------------------------------
Email account furnished courtesy of AntiOnline - http://www.AntiOnline.com
AntiOnline - The Internet's Information Security Super Center!
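The crash described above is what one would expect from a hook that reads or rewrites the TCP header of every IPv4 packet without first checking whether the packet is a fragment; that is an assumption made here, since the post does not give the root cause, and the code below is an added example, not fpf's own. It shows the guard a packet-rewriting hook needs before touching transport-layer fields, run against constructed sample datagrams (a whole segment, an nmap -f style first fragment, and a later fragment).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IP_MF     0x2000u  /* "more fragments" flag */
#define IP_OFFSET 0x1fffu  /* 13-bit fragment offset, in 8-byte units */

/* Builds a constructed IPv4 datagram (protocol TCP, IHL 5) into out with the
 * given flags/offset word and payload_len bytes of zeroed payload. The
 * checksum is left zero: this is sample input, not a real packet. */
size_t build_ipv4(uint8_t *out, uint16_t frag_word, size_t payload_len)
{
    size_t tot = 20 + payload_len;
    memset(out, 0, tot);
    out[0] = 0x45;                              /* version 4, IHL 5 */
    out[2] = (uint8_t)(tot >> 8); out[3] = (uint8_t)(tot & 0xff);
    out[6] = (uint8_t)(frag_word >> 8); out[7] = (uint8_t)(frag_word & 0xff);
    out[8] = 64;                                /* TTL */
    out[9] = 6;                                 /* protocol: TCP */
    return tot;
}

/* Returns 1 only if buf holds an unfragmented TCP datagram whose full
 * minimal TCP header lies inside len bytes. A fingerprint-emulation hook
 * must not read or rewrite TCP fields unless this returns 1: in a fragment
 * the transport header may be absent or cut short, and the bytes at the
 * expected offset are payload or out of bounds. */
int tcp_header_accessible(const uint8_t *buf, size_t len)
{
    if (len < 20 || (buf[0] >> 4) != 4) return 0;
    size_t ihl = (size_t)(buf[0] & 0x0f) * 4u;
    if (ihl < 20 || ihl > len) return 0;
    if (buf[9] != 6) return 0;                  /* not TCP */
    uint16_t frag_word = (uint16_t)((buf[6] << 8) | buf[7]);
    if (frag_word & (IP_MF | IP_OFFSET)) return 0;  /* any fragment */
    if (len - ihl < 20) return 0;               /* TCP header truncated */
    return 1;
}

int main(void)
{
    uint8_t pkt[64];
    size_t n = build_ipv4(pkt, 0x4000, 20);     /* DF set, whole SYN */
    printf("whole segment:   %d\n", tcp_header_accessible(pkt, n));
    n = build_ipv4(pkt, IP_MF, 8);              /* first 8-byte fragment */
    printf("first fragment:  %d\n", tcp_header_accessible(pkt, n));
    n = build_ipv4(pkt, 1, 12);                 /* offset 8, no TCP header */
    printf("later fragment:  %d\n", tcp_header_accessible(pkt, n));
    return 0;
}
```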

Re: fpf module and packet fragmentation:local/remote DoS.
"XR Agent" <prp_sc@antionline.org> wrote:

> Fpf kernel module by |CyRaX| [cyrax@pkcrew.org] (www.pkcrew.org) alters
> linux tcp/ip stack to emulate other OSes against nmap/queso fingerprints
> using parser by FuSyS that reads nmap-os-fingerprints
> for os emulation choice.
>
> However, attempts to send fragmented packets to local or remote machine
> with nmap (-sS -f, -sN -f, -sX -f, -sF -f, -sA -f) or hping (hping -f)
> using host with loaded fpf.o lead to kernel panic ("Aiee, killing interrupt
> handle. Kernel panic: Attempted to kill the idle task ! In interrupt
> handler - not syncing.") if run from console or force immediate reboot if
> the packet sending tool is run from an xterm. When fpf.o - running machine
> receives nmap / hping fragmented packets from remote hosts system freezes.
>
> Security through obscurity was never a perfect solution, but in the
> current case there is also a hefty price to pay: complete inability of
> tcp/ip stack of "obscured" machine to deal with packet fragmentation.
>
> Tested on Slackware 7.1 kernel 2.2.16 (i386).
>
> Regards,
>
> _clf3_ (PrP_Sc@antionline.org)
>
> Veneficio, ergo sum.

Have you reported this to |CyRaX| himself? I bet you haven't. I reported
this a few months ago, and it has been fixed. I don't know if the version
available at pkcrew.org is updated, but you should at least have notified
|CyRaX| something like a week before you posted this to bugtraq.

Regards

--
Joachim Blaabjerg
styx@mailbox.as
www.SuxOS.org